cbcvebase.

Asustor Data Master vulnerabilities

37 known vulnerabilities affecting asustor/data_master.

Total CVEs
37
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH14MEDIUM17LOW2

Vulnerabilities

Page 2 of 2
CVE-2018-12315P3MEDIUMCVSS 6.5v3.1.12018-12-04
CVE-2018-12315 [MEDIUM] CWE-640 CVE-2018-12315: Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account p Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.
nvd
CVE-2026-24935P3MEDIUMCVSS 5.6≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.re512026-02-03
CVE-2026-24935 [MEDIUM] CWE-295 CVE-2026-24935: A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the sig A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or f
nvd
CVE-2018-15698P4MEDIUMCVSS 6.5≤ 3.1.52018-08-27
CVE-2018-15698 [MEDIUM] CWE-200 CVE-2018-15698: ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi.
nvd
CVE-2026-24932P4MEDIUMCVSS 5.9≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.re512026-02-03
CVE-2026-24932 [MEDIUM] CWE-295 CVE-2026-24932: The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS upda
nvd
CVE-2025-13052P3MEDIUMCVSS 5.9≥ 4.1.0.RHU2, < 4.3.3.ROF1≥ 5.0.0.ra82, < 5.1.1.RCI12025-12-12
CVE-2025-13052 [MEDIUM] CWE-295 CVE-2025-13052: When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versio
nvd
CVE-2018-15697P4MEDIUMCVSS 6.5≤ 3.1.52018-08-27
CVE-2018-15697 [MEDIUM] CWE-200 CVE-2018-15697: ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history.
nvd
CVE-2018-12319P4HIGHCVSS 7.5v3.1.12018-12-04
CVE-2018-12319 [HIGH] CWE-79 CVE-2018-12319: Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from sign Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the title.
nvd
CVE-2018-12308P4MEDIUMCVSS 6.5v3.1.12018-12-04
CVE-2018-12308 [MEDIUM] CWE-200 CVE-2018-12308: Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the e Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL parameter.
nvd
CVE-2023-4475P4MEDIUMCVSS 5.5≥ 4.0.6.ris1, < 4.2.2.ri612023-08-22
CVE-2023-4475 [MEDIUM] CWE-552 CVE-2023-4475: An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker t An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
nvd
CVE-2018-15699P4MEDIUMCVSS 6.1≤ 3.1.52018-08-27
CVE-2018-15699 [MEDIUM] CWE-79 CVE-2018-15699: ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerabl ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field.
nvd
CVE-2023-3699P4MEDIUMCVSS 5.5≥ 4.0.6.ris1, < 4.2.3.rk912023-08-22
CVE-2023-3699 [MEDIUM] CWE-269 CVE-2023-3699: An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unpr An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
nvd
CVE-2018-12305P4MEDIUMCVSS 6.1v3.1.12018-12-04
CVE-2018-12305 [MEDIUM] CWE-79 CVE-2018-12305: Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaS Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript.
nvd
CVE-2018-12310P4MEDIUMCVSS 5.4v3.1.12018-12-04
CVE-2018-12310 [MEDIUM] CWE-79 CVE-2018-12310: Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute Java Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature.
nvd
CVE-2018-15696P4MEDIUMCVSS 4.3≤ 3.1.52018-08-27
CVE-2018-15696 [MEDIUM] CWE-200 CVE-2018-15696: ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerat ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi.
nvd
CVE-2018-12311P4MEDIUMCVSS 5.4v3.1.12018-12-04
CVE-2018-12311 [MEDIUM] CWE-79 CVE-2018-12311: Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename.
nvd
CVE-2026-24934P4LOWCVSS 3.7≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.re512026-02-03
CVE-2026-24934 [LOW] CWE-295 CVE-2026-24934: The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected prod
nvd
CVE-2025-13053P4LOWCVSS 3.7≥ 4.1.0.RHU2, < 4.3.3.ROF1≥ 5.0.0.ra82, < 5.1.1.RCI12025-12-12
CVE-2025-13053 [LOW] CWE-311 CVE-2025-13053: When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certifi When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: fro
nvd
Asustor Data Master vulnerabilities | cvebase